General

  • Target

    A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe

  • Size

    530KB

  • Sample

    220706-t79aeshbb4

  • MD5

    4bf2eedfff6695b5f3fea01022c77b46

  • SHA1

    6e08f77c366deb75ccc05c7e095132ca967d2dca

  • SHA256

    a3e02076203fb0a1c203265a9e9592f11fdc0d0e77a1d4591ece152f913092fa

  • SHA512

    d868367ef491593472eefe5009d5543b71f342406d4cc3a45c24e978a8c2112fe1da7a283918847dd7da4dfd5189d2559a9eebb6c7621ce9c4946513d3037c49

Malware Config

  Extracted

  • Family

    redline

  • Botnet

    Choi

  • C2

    192.99.175.89:49887

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Credential Access     Credentials in Files           2      T1081
  Discovery             Query Registry                 2      T1012
  Discovery             System Information Discovery   2      T1082
  Collection            Data from Local System         2      T1005

Tasks